In general it is recommended to minimize the number of SSIDs. Also, if guest access uses a hotspot portal, Single-SSID BYOD is recommended, because an open SSID that serves the hotspot portal cannot also serve as the initial BYOD portal. With Single-SSID BYOD, the endpoint associates to a secured WLAN and is onboarded there; after the endpoint automatically reconnects, it is granted full network access on that same WLAN.
If guest access uses named guest accounts, the same guest portal can be used as the employee BYOD portal. This flow is called Dual-SSID BYOD: the endpoint associates to a provisioning WLAN, which is typically shared with guest access. Once ISE confirms that the user is an employee, it directs the user into the BYOD flow, where the endpoint is onboarded. Once provisioned with the WLAN settings and, optionally, a CA-signed certificate, the endpoint reconnects to the secured WLAN for full network access.
| | Single SSID | Dual SSID |
|---|---|---|
| Pros | Better user experience for iDevice users, as switching from the OPEN to the SECURED SSID requires no user intervention.<br>A unique ISE capability: competing solutions force the user to log in twice, while ISE reuses the user information from the 802.1X session instead of asking the user to log in again at the web portal. | Some organizations prefer a dedicated SSID for onboarding devices.<br>Can give the user visible guidance on the BYOD process before logging in.<br>Better security: the user can confirm that the BYOD server is legitimate, since the user is never prompted to manually trust the EAP certificate.<br>Works when the ID store is LDAP, because PEAP with MSCHAPv2 currently cannot be used against an LDAP store.<br>Suits wired deployments, where it cannot be assumed that the client already has 802.1X enabled on the wired interface.<br>Can be configured to use a secured SSID that is not broadcast.<br>The BYOD portal can be configured to allow guest access if an employee does not want to go through the BYOD flow. |
| Cons | When end users connect to the SSID for the first time, there is no easy way to validate whether the server-provided certificate comes from a trusted source. | The Fast SSID Change setting must be enabled on the WLC to accommodate iOS devices.<br>Others see a dual SSID as an extra management burden.<br>A second SSID adds channel overhead and may degrade wireless performance.<br>Requires iOS users to manually switch SSID. |
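To make the two flows concrete, the following added example models each one as a policy function over a session and an endpoint registry. It is not ISE code or its policy syntax: the SSID names `SECURED` and `PROVISIONING`, the session attribute names, the result strings and the registry are assumptions constructed for this illustration. It walks an employee device through first association, onboarding and reconnect in both flows, and also covers the dual-SSID case from the table where an employee declines BYOD and is given guest access instead.

```python
"""Toy model of the Single-SSID and Dual-SSID BYOD authorization flows.

Constructed for illustration; not Cisco ISE code or policy syntax.  SSID
names, attribute names, outcome strings and the registry are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    ssid: str                      # WLAN the endpoint associated to (assumed names)
    auth: str                      # "802.1X" on the secured WLAN, "OPEN" on the shared guest WLAN
    identity_group: Optional[str]  # "employee", "guest", or None before any portal login
    mac: str                       # endpoint identifier used for registration
    declines_byod: bool = False    # dual-SSID only: employee opts for guest access instead


@dataclass
class EndpointRegistry:
    """Stand-in for the list of onboarded endpoints kept by the policy server."""
    registered: set = field(default_factory=set)

    def onboard(self, mac: str) -> None:
        self.registered.add(mac)


def single_ssid_policy(s: Session, reg: EndpointRegistry) -> str:
    """One secured 802.1X WLAN: the first association is redirected to the BYOD
    portal; once the endpoint is registered, the same WLAN grants full access."""
    if s.ssid != "SECURED" or s.auth != "802.1X":
        return "REJECT"
    if s.identity_group != "employee":
        return "REJECT"
    if s.mac in reg.registered:
        return "PERMIT_FULL_ACCESS"
    # The 802.1X identity is already known, so the portal needs no second login.
    return "REDIRECT_BYOD_PORTAL"


def dual_ssid_policy(s: Session, reg: EndpointRegistry) -> str:
    """Open provisioning WLAN shared with guests, plus a separate secured WLAN."""
    if s.ssid == "PROVISIONING":
        if s.identity_group is None:
            return "REDIRECT_GUEST_PORTAL"   # portal login decides employee vs guest
        if s.identity_group == "employee" and not s.declines_byod:
            return "REDIRECT_BYOD_PORTAL"
        return "PERMIT_GUEST_ACCESS"        # guests, or employees who skipped BYOD
    if s.ssid == "SECURED" and s.auth == "802.1X" and s.mac in reg.registered:
        return "PERMIT_FULL_ACCESS"
    return "REJECT"                         # unprovisioned endpoint on the secured WLAN


def walk_single_ssid(mac: str) -> list:
    """Outcomes for an employee device: first association, then automatic reconnect."""
    reg = EndpointRegistry()
    first = Session("SECURED", "802.1X", "employee", mac)
    results = [single_ssid_policy(first, reg)]
    reg.onboard(mac)                                   # provisioning completes
    results.append(single_ssid_policy(first, reg))     # reconnect to the same WLAN
    return results


def walk_dual_ssid(mac: str, declines_byod: bool = False) -> list:
    """Outcomes for an employee device: open WLAN, portal login, then secured WLAN."""
    reg = EndpointRegistry()
    results = [dual_ssid_policy(Session("PROVISIONING", "OPEN", None, mac), reg)]
    logged_in = Session("PROVISIONING", "OPEN", "employee", mac, declines_byod)
    results.append(dual_ssid_policy(logged_in, reg))
    if not declines_byod:
        reg.onboard(mac)
        # User switches (manually, on iOS) to the secured WLAN with the provisioned settings.
        results.append(dual_ssid_policy(Session("SECURED", "802.1X", "employee", mac), reg))
    return results


def guest_on_provisioning(mac: str) -> str:
    """A named guest account on the shared provisioning WLAN never enters the BYOD flow."""
    return dual_ssid_policy(Session("PROVISIONING", "OPEN", "guest", mac), EndpointRegistry())


if __name__ == "__main__":
    print("single-SSID      :", walk_single_ssid("aa:bb:cc:00:00:01"))   # constructed MACs
    print("dual-SSID        :", walk_dual_ssid("aa:bb:cc:00:00:02"))
    print("dual, skips BYOD :", walk_dual_ssid("aa:bb:cc:00:00:03", declines_byod=True))
    print("guest            :", guest_on_provisioning("aa:bb:cc:00:00:04"))
```

The registry is the only state that changes between the two associations, which is what lets the single-SSID flow hand out full access on the very WLAN that redirected the endpoint a moment earlier; in the dual-SSID flow the same registry check is what keeps an unprovisioned device off the secured WLAN.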